Legal Insight: White House Issues New Cybersecurity Executive Order

If you have listened to some of our webinars, you’ve heard me recommend reviewing legal analysis of the voluminous or complex new vendor management regulatory guidance. Rather than digging through hundreds of pages, there are some terrific law firms out there who quickly digest and dissect the new regulations into a couple of pages of meaningful information that you can easily understand. One of my absolute favorite firms is Ballard Spahr, a very well respected and long time industry expert. On staff they have numerous former regulators and real financial services experts. 

We thought you might like to see some of their work so they have kindly agreed that we can share it with you here – it’s helpful to get their perspective on important issues shaping our industry. Today, we’re featuring the tone from the top – in this case the executive branch – on the important national cybersecurity focus. And with this, it should also make you think specifically about vendor management cybersecurity. It’s a timely topic and one that I know causes all of us great concern. Enjoy the Ballard Spahr piece and, if you’d ever like to learn more about them, I’d be happy to introduce you to some friends and former colleagues who work there."

White House Issues New Cybersecurity Executive Order

The following publication was written by members of Ballard Spahr’s Privacy and Data Security Group

President Trump recently signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Order). The Order sets forth the Trump Administration's policy for cybersecurity of federal networks and calls for executive departments and agencies (Agencies) to secure their information technology and data using "all United States Government capabilities." The Order also describes how agencies will be expected to support the cybersecurity risk management efforts of critical infrastructure entities, including the financial services sector, and take steps to protect against cyber threats that could result in catastrophic regional or national effects to the nation's economic security and other critical sectors. Industry experts have generally been supportive of the Order, noting that it builds on President Obama's 2013 Executive Order.

U.S. policy has focused on protecting critical infrastructure since the Commission on Critical Infrastructure Protection was established by President Clinton in 1996. In 2013, President Obama identified 16 critical infrastructure sectors in Presidential Policy Directive 21, including financial services, energy, health care, and communications. President Trump's Order directs the Secretaries of Homeland Security and Defense, the Directors of National Intelligence, and the Federal Bureau of Investigation, and the heads of all appropriate Agencies to take the following steps to help support the owners and operators of critical infrastructure:

• Increased Support: Agency heads will identify "authorities and capabilities" that could be employed to support cybersecurity risk management of critical infrastructure entities. The Order requires agencies to engage such entities and solicit their input on how best to support their cybersecurity risk management.  
• Market Transparency: Within 90 days, President Trump will receive a report that examines the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities.
• Resilience Against Threats: The Secretaries of Commerce and Homeland Security will identify and promote action by the appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration, with the goal of reducing threats perpetrated by botnets and other automated and distributed attacks. A preliminary report on this effort will be made publicly available within 240 days of the Order.

The Order also addresses how agencies will ensure that cybersecurity threats to the internet and the American people are mitigated, while respecting privacy and guarding against disruption, fraud, and theft. Among other measures, the Order requires:

• Deterrence and Protection: The Order directs the Secretaries of State, Treasury, Defense, Commerce and Homeland Security, along with the Attorney General, the U.S. Trade Representative and the Director of National Intelligence to submit a report to the President on strategic options for "deterring adversaries and better protecting the American people from cyber threats."
• International Cooperation: The Order also directs agencies to foster international cooperation in countering cyber threats. The President will receive a report within 45 days that outlines international cybersecurity priorities, including those concerning cyber threat information sharing, capacity building and cooperation, and, in 90 days, a report that documents an engagement strategy for international cooperation on cybersecurity.
• Cybersecurity Workforce: To ensure that the United States maintains a cybersecurity advantage long term, the Order tasks the Secretaries of Commerce, Homeland Security, Defense, Labor and Education, and the Director of the Office of Personnel Management with developing a plan to assess and bolster the cybersecurity workforce.

The Order is not intended to interfere with any existing cybersecurity laws, such as the Gramm-Leach-Bliley Act, or authority granted to any other federal agencies.

Ballard Spahr's Privacy and Data Security Group helps clients navigate the many laws designed to safeguard health, financial, and other private information. The Group focuses on financial privacy and security by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

This publication was written by members of Ballard Spahr’s Privacy and Data Security Group.

ABOUT BALLARD SPAHR

Ballard Spahr LLP, an Am Law 100 law firm with more than 500 lawyers in 15 offices in the United States, provides a range of services in litigation, business and finance, real estate, intellectual property, and public finance. Our clients include Fortune 500 companies, financial institutions, life sciences and technology companies, health systems, investors and developers, government agencies and sponsored enterprises, educational institutions, and nonprofit organizations. The firm combines a national scope of practice with strong regional market knowledge. For more information, please visit www.ballardspahr.com

Download our helpful infographic to learn how to protect your institution from vendor management cybersecurity threats in 2017.